If you want to match the expected security policy when there are a lot of security policies configured with the same source and destination zones , it is strongly recommended to must have the source and destination zones . In a case where the zones are not specified, then the test command will return results for rules based on zones that the source and destination IP addresses do not belong in.